import UBI libtiff-4.0.9-29.el8_8
		
							parent
							
								
									bbcdf7ef1c
								
							
						
					
					
						commit
						e13cf90142
					
				| @ -0,0 +1,128 @@ | ||||
| From 73b3f582caa08a976d647537346790b182bbcc10 Mon Sep 17 00:00:00 2001 | ||||
| From: Even Rouault <even.rouault@spatialys.com> | ||||
| Date: Sun, 5 Feb 2023 15:53:16 +0000 | ||||
| Subject: [PATCH] (CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 | ||||
|  CVE-2023-0804) tiffcrop: added check for assumption on composite images | ||||
|  (fixes #496) | ||||
| 
 | ||||
| Closes #501, #500, #498, #497 et #496 | ||||
| 
 | ||||
| See merge request libtiff/libtiff!466 | ||||
| 
 | ||||
| (cherry picked from commit 33aee1275d9d1384791d2206776eb8152d397f00) | ||||
| ---
 | ||||
|  tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++-- | ||||
|  1 file changed, 66 insertions(+), 2 deletions(-) | ||||
| 
 | ||||
| diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
 | ||||
| index 7f738d91..77923cf3 100644
 | ||||
| --- a/tools/tiffcrop.c
 | ||||
| +++ b/tools/tiffcrop.c
 | ||||
| @@ -5235,18 +5235,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
 | ||||
|   | ||||
|        crop->regionlist[i].buffsize = buffsize; | ||||
|        crop->bufftotal += buffsize; | ||||
| +
 | ||||
| +      /* For composite images with more than one region, the
 | ||||
| +       * combined_length or combined_width always needs to be equal,
 | ||||
| +       * respectively.
 | ||||
| +       * Otherwise, even the first section/region copy
 | ||||
| +       * action might cause buffer overrun. */
 | ||||
|        if (crop->img_mode == COMPOSITE_IMAGES) | ||||
|          { | ||||
|          switch (crop->edge_ref) | ||||
|            { | ||||
|            case EDGE_LEFT: | ||||
|            case EDGE_RIGHT: | ||||
| +               if (i > 0 && zlength != crop->combined_length)
 | ||||
| +               {
 | ||||
| +                   TIFFError(
 | ||||
| +                       "computeInputPixelOffsets",
 | ||||
| +                       "Only equal length regions can be combined for "
 | ||||
| +                       "-E left or right");
 | ||||
| +                   return (-1);
 | ||||
| +               }
 | ||||
|                 crop->combined_length = zlength; | ||||
|                 crop->combined_width += zwidth; | ||||
|                 break; | ||||
|            case EDGE_BOTTOM: | ||||
|            case EDGE_TOP:  /* width from left, length from top */ | ||||
|            default: | ||||
| +               if (i > 0 && zwidth != crop->combined_width)
 | ||||
| +               {
 | ||||
| +                   TIFFError("computeInputPixelOffsets",
 | ||||
| +                             "Only equal width regions can be "
 | ||||
| +                             "combined for -E "
 | ||||
| +                             "top or bottom");
 | ||||
| +                   return (-1);
 | ||||
| +               }
 | ||||
|                 crop->combined_width = zwidth; | ||||
|                 crop->combined_length += zlength; | ||||
|  	       break; | ||||
| @@ -6390,6 +6412,46 @@ extractCompositeRegions(struct image_data *image,  struct crop_mask *crop,
 | ||||
|    crop->combined_width = 0; | ||||
|    crop->combined_length = 0; | ||||
|   | ||||
| +  /* If there is more than one region, check beforehand whether all the width
 | ||||
| +   * and length values of the regions are the same, respectively. */
 | ||||
| +  switch (crop->edge_ref)
 | ||||
| +  {
 | ||||
| +      default:
 | ||||
| +      case EDGE_TOP:
 | ||||
| +      case EDGE_BOTTOM:
 | ||||
| +          for (i = 1; i < crop->selections; i++)
 | ||||
| +          {
 | ||||
| +              uint32_t crop_width0 =
 | ||||
| +                  crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
 | ||||
| +              uint32_t crop_width1 =
 | ||||
| +                  crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
 | ||||
| +              if (crop_width0 != crop_width1)
 | ||||
| +              {
 | ||||
| +                  TIFFError("extractCompositeRegions",
 | ||||
| +                            "Only equal width regions can be combined for -E "
 | ||||
| +                            "top or bottom");
 | ||||
| +                  return (1);
 | ||||
| +              }
 | ||||
| +          }
 | ||||
| +          break;
 | ||||
| +      case EDGE_LEFT:
 | ||||
| +      case EDGE_RIGHT:
 | ||||
| +          for (i = 1; i < crop->selections; i++)
 | ||||
| +          {
 | ||||
| +              uint32_t crop_length0 =
 | ||||
| +                  crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
 | ||||
| +              uint32_t crop_length1 =
 | ||||
| +                  crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
 | ||||
| +              if (crop_length0 != crop_length1)
 | ||||
| +              {
 | ||||
| +                  TIFFError("extractCompositeRegions",
 | ||||
| +                            "Only equal length regions can be combined for "
 | ||||
| +                            "-E left or right");
 | ||||
| +                  return (1);
 | ||||
| +              }
 | ||||
| +          }
 | ||||
| +  }
 | ||||
| +
 | ||||
|    for (i = 0; i < crop->selections; i++) | ||||
|      { | ||||
|      /* rows, columns, width, length are expressed in pixels */ | ||||
| @@ -6414,7 +6476,8 @@ extractCompositeRegions(struct image_data *image,  struct crop_mask *crop,
 | ||||
|        default: | ||||
|        case EDGE_TOP: | ||||
|        case EDGE_BOTTOM: | ||||
| -	   if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
 | ||||
| +	   if ((crop->selections > i + 1) &&
 | ||||
| +                 (crop_width != crop->regionlist[i + 1].width))
 | ||||
|               { | ||||
|  	     TIFFError ("extractCompositeRegions",  | ||||
|                            "Only equal width regions can be combined for -E top or bottom"); | ||||
| @@ -6495,7 +6558,8 @@ extractCompositeRegions(struct image_data *image,  struct crop_mask *crop,
 | ||||
|  	   break; | ||||
|        case EDGE_LEFT:  /* splice the pieces of each row together, side by side */ | ||||
|        case EDGE_RIGHT: | ||||
| -	   if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
 | ||||
| +	   if ((crop->selections > i + 1) &&
 | ||||
| +                 (crop_length != crop->regionlist[i + 1].length))
 | ||||
|               { | ||||
|  	     TIFFError ("extractCompositeRegions",  | ||||
|                            "Only equal length regions can be combined for -E left or right"); | ||||
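Review bot: In the last two hunks the per-region checks inside the extractCompositeRegions loop now look ahead to `crop->regionlist[i + 1].width` and `.length`, whereas the new pre-loop check computes the same dimensions from `x2 - x1 + 1` and `y2 - y1 + 1`. Nothing visible here shows that the `width`/`length` fields of region `i + 1` are already filled in when the loop is at region `i`, so it is worth confirming that, or comparing against the coordinates instead, e.g. `(crop_width != crop->regionlist[i + 1].x2 - crop->regionlist[i + 1].x1 + 1)`. The pre-loop subtraction is done in `uint32_t` and so presumably relies on `x2 >= x1` and `y2 >= y1` having been established earlier; a short comment such as `/* relies on x1 <= x2 and y1 <= y2 for every region */` would record that dependency. Both functions begin and end outside the hunks, so this is based only on the lines shown.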
| @ -1,7 +1,7 @@ | ||||
| Summary:       Library of functions for manipulating TIFF format image files | ||||
| Name:          libtiff | ||||
| Version:       4.0.9 | ||||
| Release:       28%{?dist} | ||||
| Release:       29%{?dist} | ||||
| License:       libtiff | ||||
| Group:         System Environment/Libraries | ||||
| URL:           http://www.simplesystems.org/libtiff/ | ||||
| @ -48,6 +48,7 @@ Patch0034: 0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch | ||||
| Patch0035: 0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch | ||||
| Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch | ||||
| Patch0037: 0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch | ||||
| Patch0038: 0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch | ||||
| 
 | ||||
| 
 | ||||
| BuildRequires: gcc, gcc-c++ | ||||
| @ -202,6 +203,10 @@ find html -name 'Makefile*' | xargs rm | ||||
| %{_mandir}/man1/* | ||||
| 
 | ||||
| %changelog | ||||
| * Tue Aug 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-29 | ||||
| - Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 | ||||
| - Resolves: RHEL-5075 RHEL-5078 RHEL-5079 RHEL-5080 RHEL-5081 | ||||
| 
 | ||||
| * Tue May 16 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-28 | ||||
| - Fix CVE-2022-48281 | ||||
| - Resolves: CVE-2022-48281 | ||||
|  | ||||
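Review bot: The `Patch0038:` line added in the second hunk only declares the patch; none of the hunks shown touches `%prep`, so whether the fix is actually applied depends on how that section is written. If `%prep` uses `%autosetup` or `%autopatch` the new patch is picked up automatically, but if it lists patches individually a matching `%patch` line for 0038 is needed, otherwise the package would ship as 4.0.9-29 with a changelog claiming the CVE fixes while the source stays unpatched. It is worth confirming against the full spec or a build log that the patch is applied.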